Pigskin-Referee writes "Microsoft has expanded its vulnerability disclosure policy to include not only those in its own products, but also flaws in third-party software that runs on Microsoft operating systems. These will follow the same practices as the advisories issued for Microsoft's products, and it makes sense, because many users look to Microsoft to ensure that their computers are secure, even when the problem lies with a third-party program. The company will contact and coordinate with the third-party vendor before an advisory is issued."

Adobe and Java are widely ignored by the general population because they have hundreds of icons on their system tray. I'm almost to the point of charging $10 extra per customer who ignores these updates.

Ya see, I run my XP box as user. The Admin account is used only for Admin. Now, in my user mode, the Java and Adobe update icons show up in the tray and when I click on them, after a while of them doing their thing, I get the "You have to have administrative privileges to perform this update." Can I do a "Run as" on those updates? Nope. Gotta log off and log back on as the admin. "Switch User"? Turned it off for performance reasons.

If only there were solutions to this problem. Maybe if Microsoft ever releases a new version of Windows, there might be a way around some of this stuff. Too bad they haven't released one or two versions since XP came out.

My experience has been that those Win98/Win 2000/ Win XP applications that fail on Vista/7 fail due to bad or outdated design. Why are they using HKLM or %systemroot%? Allowing that design was part of what made XP and earlier weak.

In what way does it matter? If a user who is in an important, or even key, position in a company suffers from reduced efficiency because of the upgrade, it's your head that will roll when he/she complains to the boss.

Use Win 98 then; single user, admin all the time, security a total afterthought. To be fair, Win 98 was designed before the always on network connections were common, certainly for home users.

Say an honest developer makes an application poorly, requiring it to have administrator access to run, and since it was made poorly, it gets cracked. By giving that application administrator access, you gave up a PC and everything it has accessible: its network shares, database access using Windows authentication

The vast majority of "critical people" in the company wouldn't be able to define what "data access" is in the way you reference it. They don't care either, as it's not part of their job description. And frankly, having seen what they have to work with, I understand why. The intricate details of their work look just as arcane to me as IT's work must look to them.

Point is, there's no need for win98 as you reference it - XP runs pretty much all legacy 16-bit stuff good enough, and being 7 years old most of the arc

And if my work is dependent on that application, which is now not being updated, I don't give a shit as long as the damn thing runs. If it doesn't, I will downgrade my OS if necessary.

If my work is dependent on an application that no longer runs on modern operating systems, then I have a problem. I will make the application work, and/or try to find a way to not be dependent on unsupported software that will leave me up shit creek in future. Luckily VMs make it easy to run various operating systems as needed, even if modern hardware is poorly supported by them.

Just a little more time. Let's get it in the open, Vista was a documented Hail Mary from when they lost two entire years of dev time and started over about 2004. 7 is just what Vista should have been if they had planned better.

So now that 7 got the "housekeeping" done, it's time to see what Windows 8 is, with its plans for App Stores vs. whatever evil media tracking tricks get baked into the OS.

So, let me get this straight, you have enabled a high(er) security policy, and are now complaining when the higher security policy you have implemented gets in the way of something you want to do. Let's try looking at this another way:

Stupid lock makers! I installed deadbolts in my doors for security, but when I'm outside and I see I've left a light on I have to unlock my doors again to turn that light off! Can I do a "teleport into the room"? Nope. Gotta walk to the door and unlock it! X10? Didn't get the

As it happens, yes. I have a Debian box running MythTV acting as DVR and NAS for my home network. And the same thing happens on Linux: try to run apt-get from a regular user (without sudo, or without sudo privileges) and you get an error message, as intended. My point still stands: Microsoft is not at fault for shortcomings in other people's products, or for security measures you yourself have implemented. Though I guess this is /., and Microsoft-bashing is pretty much par for the course here.

I quite like the approach of just installing to your home directory by default, and offering to install for all users as a secondary option. It works well for single user systems and somewhat limits the damage that can be caused on a multi-user system.

In my opinion too much software is packaged to target some experience in between individual use and corporate use. I like that Google Chrome just installs somewhere and updating just happens without me really being involved or having to prod it along. Minecraf

And no, you shouldn't have to be an admin to install a fucking document viewer.

Correct, user applications should install at the user level. Chrome installed on Win 7 for me under a standard user account. Acrord, Flash, Java require admin level, maybe due to where the updated files are placed or registry, and because they are system applications.

It's *not* a fair comparison for the simple reason that Linux is open source for the most part. It can be much harder to find a security vulnerability in 3rd party software, whereas most applications running on Linux are open source.

Not a single highly or extremely critical advisory issued for the 2.6 kernel, and 42% of the advisories not critical at all. For Windows 7, 42% of the advisories were highly or extremely critical. 66% of the vulnerabilities of Windows 7 are remotely exploitable, vs. 15% of 2.6.x.

Besides that, you're comparing less than two years of history to over 7 as well. In addition the environment a

I noticed that. I also noticed they didn't list the vendors I'd call the major offenders: Adobe (Flash, Reader) and Java. I find it a little unlikely that none of those products has any open vulnerabilities. However, it says they're only doing responsible disclosure (CVD) and I would as easily believe that Adobe and Oracle are still unwilling to talk about security problems as much as MS just wants to smear Google and Mozilla (sorry, Opera, nobody really sees you as a threat).

Simple fact is many users do not upgrade even when the upgrade is free. People don't even bother to apply free security patches half the time so why would you expect them to also not be using older versions of free products?

It isn't about THEM reading it. It is about being aware of what the potential dangers are out there, whether they are from a rogue user that has installed an old version of Chrome on the corporate image or an external user that comes into your system remotely or merely interchanges data with your system; the vulnerability doesn't have to be on your own system to affect you.

It is not a hard issue to have with Chrome at all. I work with 2 large government departments that BOTH have this issue: the Chrome website and update are blocked as it is not something that is supposed to be running on end machines and hence not in their whitelist of sites, but there are always a few users with local desktop admin rights that think it is their god-given right to run whatever they want on their machine and put a copy on and NEVER update it.

Maybe they're being proactive about the ones they get the most complaints about, hence the biggest ones. Since all software has bugs, you can always find something, so if you go by complaint count, you're going to be sorting by user base, so all you're really doing is finding a roundabout way to list software companies by size. And you get to slag on them and call it a service to your customers. And it's probably 100% legal and righteous.

Yes, that's why I mentioned Adobe Flash, Adobe Reader, and Java JRE and wondered why they're not mentioned. Do you pay any attention at all to how malware infections actually occur? I'm sure #1 is and always will be social engineering, but those three applications have to be in the top 5 based on the number of in-the-wild exploits.

One would think that MS would be inclined to post security bulletins for the most severe and most widespread issues. As you say, there are bugs in all software, but informing users about those which are the most severe and the most likely to affect them makes the most sense. Nobody cares if Firefox 2.0 has a security vulnerability because nobody uses it and so nobody exploits it. Nobody is going to write an exploit today for a vulnerability which closed over six months ago on a piece of software which is several versions out of date on software which automatically updates itself. It's ludicrous to spend the time warning people about it, and since MS does have a potential conflict of interest by listing 3rd party software, it makes even less sense to only issue security warnings on software they are in direct competition with, because that will only serve to call into question MS's impartiality.

Until the competitors start to pay Microsoft to stop doing it.

That will not happen. Read the article. MS is using CVD (aka responsible disclosure) while issuing these reports. Why would a vendor pay to get MS to stop issuing alerts based on cooperative vulnerability disclosures?

Do you actually think they will disclose vulnerabilities without the approval of the company? Then re-read the summary. It says right there that they will coordinate with the third party before the advisory is issued.

Even if they wanted to, if their disclosure cost the third party money, they could be sued. They won't risk that.

Depends on who the "competitors" are. Mozilla? Google? Do you really think Microsoft Research will pull out such a stunt? As far as I can see, it's the dickweeds at the corporate side of Microsoft who bring down its reputation.

Finally something Microsoft is doing right. Fact is, "Windows" is vulnerable as hell not only because of their own crap, but the crap of others... and truth be told, it's probably other crap that does more damage to Windows than anything else. Okay so there's a combination of stupid in effect... Microsoft can't seem to limit the applications and drivers to prevent them from doing bad things (as they should) and bad apps need backward compatibility... yeah... no... not really, but Microsoft seems to think so.

Anyway, keep doing that and a little more and I won't hate Microsoft OSes so much.

I would agree with you if they called out Adobe, Java, IRC programs, News viewers, file sharing, firewalls, routers, server software, websites, etc.

But instead they call out browsers. Browsers that have significant market share on them.
Not only that, but old browsers with old bugs. I mean, if we were to do that we should call out Windows 95/Windows NT/2000/2003 RC1/Vista bugs that they haven't patched. Not because they don't support them anymore, but because they are still not fixed in that release iteration.

The registry is no worse and no more complex than /boot/, /dev/, /etc/, and parts of /lib/ combined. That's all the registry is, with a little /home/ thrown in for HKCU. If you honestly believe otherwise, you've honestly never dealt with either system for any extended period with any applications of consequence. It takes maybe one or two hours of serious study to understand how the registry is laid out and what each bit does for the system. It's not hard. People are just intimidated. They think that e

A large number of the security holes in Windows apps are caused by flaws in Windows libraries. Calling out others who have used your flawed library has the effect of diluting warnings about yourself. MS won't look so bad if they point their finger at others and say "see, theirs sucks too!"